Send the bill for what, exactly?<div><br></div><div>Let me be especially clear about something. I've been a supporter of ET for a while. When I'm asked at conferences what to use, I always say to evaluate both sets and pick one or both depending on your needs. I honestly believe that there is a place in an operations environment for both. I do not and would not trash the ET project.</div>
<div><br></div><div>However, it would be a solid waste of my time to troll through the ET list looking for sigs. The signatures are not written with the same goals we have; we have an exceptional degree of information coming in that is not publicly available, and we don't have to do my collaboration over an email list. I can turn around and talk to five people whose duties include a substantial amount of daily rule writing. I have the Snort devs within 20 yards of me if I need them, and at this point there is an exceptionally limited set of people who know more about the engine than I do.</div>
<div><br></div><div>I felt in this case that the level of exposure and the fact that the rule that was linked to would flat out not fire obligated me to say something. People depend on your sigs, like they depend on mine. This issue was high profile, and I'm not going to let petty competition cause people trusting that rule to not be protected.</div>
<div><br></div><div>Matt</div><div><br><div class="gmail_quote">On Thu, Feb 10, 2011 at 4:01 PM, Mike Cox <span dir="ltr">&lt;<a href="mailto:mike.cox52@...2420...">mike.cox52@...2420...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hmmm ... this sounds like the sig I proposed to Emerging Threats this<br>
morning but got no feedback on.<br>
<br>
Sourcefire, please let me know where to send the bill.<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN<br>
Night Dragon C&C Communication Outbound"; content:"|68 57 24 13|";<br>
offset:12; depth:4; http_body;<br>
pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P";<br>
classtype:trojan-activity;<br>
reference:url,<a href="http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf" target="_blank">www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf</a>;<br>